Endpoint Protection

  • 1.  [SID: 24225] Web Attack: Blackhole Toolkit Website 5 detected. Traffic has been blocked

    Posted Jul 05, 2011 11:05 AM

    Hello,

    Some of my users, from time to time, get this report in the IPS log.

    What annoys me is that traffic direction is outgoing.

    I tried scanning (including using SERT) / checking the computers but didn't find anything.

    Is this detection a false positive?

    How can I check?

    Many thanks



  • 2.  RE: [SID: 24225] Web Attack: Blackhole Toolkit Website 5 detected. Traffic has been blocked

    Posted Jul 05, 2011 11:48 AM

    I would say read this blog on Blackhole Toolkit and make sure your browsers are updated with security updates.

    https://www-secure.symantec.com/connect/blogs/blackhole-fever-continues



  • 3.  RE: [SID: 24225] Web Attack: Blackhole Toolkit Website 5 detected. Traffic has been blocked

    Posted Jul 05, 2011 12:56 PM

    I'd suggest grabbing a support tool with load point selected to get a deeper look first.

    It *is* possible that it's a false positive, but we'd need more data.

    Have you shut down whatever normally uses network traffic to rule other things out? Like, for example, do the detections happen if, say, Outlook is open, and when it's closed, it doesn't? This could help to narrow the scope down.



  • 4.  RE: [SID: 24225] Web Attack: Blackhole Toolkit Website 5 detected. Traffic has been blocked

    Posted Jul 05, 2011 02:18 PM

    Hi, 

    My suggestion is: run the SEP support tool and get the log. Get the packet log. Call technical support.

    They will take care of it and tell you what to do.



  • 5.  RE: [SID: 24225] Web Attack: Blackhole Toolkit Website 5 detected. Traffic has been blocked

    Posted Jul 05, 2011 06:48 PM

    Our IPS signatures for this type of detection are normally quite accurate, if not very accurate.

    Check in your logs which remote IP address it is talking to and check using your favorite search engine about reputation of that IP address.

    Best to have our Support team assist you in narrowing down the threat.
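    Replies 3 and 5 describe the same triage loop: pull the IPS detections for this signature, see which remote addresses and which local programs they cluster around, and take the recurring external addresses to a reputation check. The script below is an added illustration of that loop and is not code from this thread or from Symantec. It assumes a simplified comma-separated log format (timestamp, event text, direction, local IP, remote IP, process name) that is constructed for the example and is not the real SEP log layout; the sample lines, the addresses in them and the internal address ranges are likewise constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample IPS log lines (assumed layout, not real SEP output):
# timestamp,event text,direction,local IP,remote IP,process
SAMPLE_LOG = """\
2011-07-05 10:12:31,[SID: 24225] Web Attack: Blackhole Toolkit Website 5 detected. Traffic has been blocked,Outgoing,10.0.1.15,198.51.100.23,iexplore.exe
2011-07-05 10:40:02,[SID: 24225] Web Attack: Blackhole Toolkit Website 5 detected. Traffic has been blocked,Outgoing,10.0.1.15,198.51.100.23,iexplore.exe
2011-07-05 11:03:47,[SID: 24225] Web Attack: Blackhole Toolkit Website 5 detected. Traffic has been blocked,Outgoing,10.0.1.22,203.0.113.9,firefox.exe
2011-07-05 11:05:10,[SID: 24225] Web Attack: Blackhole Toolkit Website 5 detected. Traffic has been blocked,Incoming,10.0.1.15,10.0.1.99,outlook.exe
"""

# Assumed internal ranges (RFC 1918 plus loopback); adjust to your own network.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

LINE_RE = re.compile(
    r"^(?P<ts>[^,]+),\[SID: (?P<sid>\d+)\] (?P<name>[^,]+),"
    r"(?P<direction>Incoming|Outgoing),(?P<local>[^,]+),(?P<remote>[^,]+),(?P<process>[^,]+)$"
)


def is_internal(addr):
    """True if the address falls inside one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_ips_log(text):
    """Parse log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            continue  # skip lines that do not match the assumed layout
        events.append(m.groupdict())
    return events


def summarize(events, sid="24225"):
    """Group detections for one signature by direction, remote IP and process.

    Returns the external remote addresses (candidates for a reputation check),
    the remotes seen more than once, and which local hosts each remote hit.
    """
    hits = [e for e in events if e["sid"] == sid]
    by_direction = Counter(e["direction"] for e in hits)
    by_remote = Counter(e["remote"] for e in hits)
    by_process = Counter(e["process"] for e in hits)

    hosts_per_remote = defaultdict(set)
    for e in hits:
        hosts_per_remote[e["remote"]].add(e["local"])

    external = sorted(r for r in by_remote if not is_internal(r))
    recurring = sorted(r for r, n in by_remote.items() if n >= 2)

    return {
        "total": len(hits),
        "by_direction": dict(by_direction),
        "by_remote": dict(by_remote),
        "by_process": dict(by_process),
        "external_remotes": external,
        "recurring_remotes": recurring,
        "hosts_per_remote": {r: sorted(h) for r, h in hosts_per_remote.items()},
    }


if __name__ == "__main__":
    summary = summarize(parse_ips_log(SAMPLE_LOG))
    print("detections:", summary["total"], summary["by_direction"])
    print("by process:", summary["by_process"])
    print("external remotes to check reputation for:", summary["external_remotes"])
    print("recurring remotes:", summary["recurring_remotes"])
    print("hosts per remote:", summary["hosts_per_remote"])
```

    On the constructed sample the three outgoing hits all originate from browsers and point at two external addresses, one of them twice, while the single incoming hit comes from another internal host; that split is what tells you which addresses to look up and which process to stop first when repeating the "close the application and see if the alerts stop" test from reply 3.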



  • 6.  RE: [SID: 24225] Web Attack: Blackhole Toolkit Website 5 detected. Traffic has been blocked

    Posted Jul 05, 2011 07:34 PM

    Hi,

    It is quite possible that all Microsoft patches are installed. However, what about patches for other software, for example Adobe? The CVE website talks about some vulnerabilities related to Microsoft, Sun Java and Adobe PDF.

    Perform a vulnerability assessment using automated tools. You can use automated tools to scan your network for vulnerabilities. You can scan for IP addresses and get granular to port numbers and protocols as well (TCP or UDP). These tools have updated information on vulnerabilities. Below are some tools. Nessus can be used for free for non-commercial use.

    Please ensure that the tool used to scan vulnerabilities is updated.

    IBM ISS: http://www.iss.net/

    Nessus : http://www.tenable.com/products/nessus

    Core Impact http://www.coresecurity.com/content/core-impact-ov...

    SAINT http://www.saintcorporation.com/

    SARA http://www-arc.com/sara/

    I have used Nessus; it is quite a simple tool.

    Here are some sites that provide information on the latest vulnerabilities.

    Common Vulnerability Database http://cve.mitre.org/

    Security focus http://www.securityfocus.com/

    DHS National Vulnerability Database http://nvd.nist.gov

    United States Computer Emergency Readiness Team http://www.us-cert.gov/

    Open Source Vulnerability Database http://osvdb.org/